Basaren Drift AS fined
The Norwegian Data Protection Authority has fined Basaren Drift AS EUR 20,000 (NOK 200,000) for a GDPR violation. The case relates to CCTV surveillance of restaurant premises.
The Norwegian Data Protection Authority has fined Basaren Drift AS EUR 20,000 (NOK 200,000) for a GDPR violation. The case relates to CCTV surveillance of restaurant premises.
The General Data Protection Regulation (GDPR) requires that all processing of personal data must have a legal basis. Having investigated a complaint relating to CCTV surveillance of a restaurant’s premises, the Norwegian Data Protection Authority has concluded that Basaren did not have a legal basis for its surveillance.
In addition, the Norwegian Data Protection Authority has concluded that the business did not provide adequate information about the CCTV surveillance and that its written procedures were inadequate.
- With respect to the processing of personal data, the principles of lawfulness and transparency are completely fundamental. Violation of these principles is a serious matter, says Bjørn Erik Thon, Director-General of the Data Protection Authority.
- In this case, we have concluded that the CCTV cameras filmed more of the restaurant's premises than necessary, and that round-the-clock surveillance was unnecessary.
The Data Protection Authority finds that this case is so severe that a fine is the appropriate corrective measure. Importance is attached to the fact that the CCTV surveillance impacted both the restaurant employees and its guests.
- Everyone has a right to privacy, also when we are at work. CCTV surveillance must comply with strict conditions, particularly in the workplace, explains Bjørn Erik Thon.
- In this case, we have attached importance to the fact that the unlawful CCTV surveillance has filmed employees, and that the cameras covered guest seating areas in the restaurant. Restaurant guests have a legitimate expectation of not being filmed while they are dining there. In places used for relaxation, recreation and social gatherings, the privacy of guests must therefore be accorded considerable weight, concludes Thon.
The extent of the fine was determined on the basis of an overall assessment of the severity of the violation and the organisation's financial situation, among other factors.